Business Owner’s Guide to CMMC
Ep 6: Audit & Accountability
Watch episode 6 of our Business Owner’s Guide to CMMC series with Ben Scully (Avatara) and Dan Langley (Lupa Advisors), or read the transcript below. Stay tuned weekly for new episodes containing actionable insights and an overview of each CMMC domain.
BEN: Okay, so our third domain here is Audit and Accountability. I know from my perspective, the first couple make a lot of logical sense to non-technical people. I’m actually a non-technical person, I don’t know if you knew that. The Audit and Accountability…this is the first one that’s kind of technical and a little bit fuzzy, I think, to most businesspeople. So, let’s try to simplify it a little bit and what we’re trying to accomplish.
DAN: It sounds like that fearsome course in business, you know? It’s kind of like, what do you have this semester? I have Audit and Accountability. It’s like, oh good luck with that one. But when you look at it from a CMMC perspective, it is detailed. There are nine different controls that they have in place for this, and they spell out to the detail exactly what you do. Big animal picture, it’s the data. Who had access to what and when did this happen? It’s not a question of, when will you be breached? It’s if you get attacked, those are the little pieces of nuggets that we’re going to go back to. How did they get in? Where did they get in from? Who is doing what? It’s that data, which is a lot of data. It’s those logs. It’s timing those logs to a single time source so you can look across your devices and say this log and this log, they’re referencing the same time source so I can have a realistic picture. If you don’t do that, it’s going to be haywire.
BEN: Yeah, I think this is the first category, depending on the size of the organization, that is oftentimes outsourced to a SIEM or some sort of managed security organization. But I agree with you, there is kind of this ongoing thing that you have to be doing but the most important part of this category, I think, is for when the hack happens, being able to dive in and look through the logs and see how it happened and make sure that you’re shoring things up so it doesn’t happen again.
DAN: Right, looking at those logs, but also, how do I know the log is actually logging? Did the log get turned off? As a hacker, they go in and the first thing they want to do is basically turn off logging. Why? It hides their actions. So, these are the controls in place that say: am I gathering the right information, off the right systems, timed to a source, and have alerts in place so I know that I’m covered should I need that data later?
BEN: Yep perfect; that’s helpful.